Background: A conflict fought on two fronts
When Russian forces began their full-scale invasion of Ukraine on February 24, 2022, they initiated a conflict on two fronts: one of kinetic warfare and another, less visible but equally significant, in cyberspace. This digital battleground was not new. It was the violent escalation of a shadow war that had been simmering for years, marked by incidents like the 2015 and 2016 power grid attacks and the globally disruptive NotPetya wiper attack in 2017. However, the 2022 invasion fused cyber operations with military objectives on an unprecedented scale, making Ukraine a live laboratory for modern hybrid warfare.
Hours before tanks crossed the border, Ukrainian government and banking websites were hit with distributed denial-of-service (DDoS) attacks. Simultaneously, destructive wiper malware was being deployed to erase data from critical systems. This coordinated effort was designed to sow chaos, disrupt communications, and degrade Ukraine’s ability to respond. While the much-feared “cyber blitzkrieg” that would instantly cripple the nation did not materialize, the conflict has since been characterized by a persistent barrage of cyberattacks aimed at eroding Ukraine's infrastructure, government, and public morale.
Technical details: The arsenal of digital warfare
Russian state-sponsored advanced persistent threat (APT) groups have deployed a diverse and destructive toolkit against Ukrainian targets. Their tactics have evolved from simple website defacements to sophisticated attacks on critical infrastructure.
Key Threat Actors and Their Roles
Several well-known groups, primarily attributed to Russian intelligence agencies, have been at the forefront of this cyber offensive.
- Sandworm (APT28): Attributed to Russia's GRU military intelligence, this highly capable group is responsible for some of the most audacious attacks, including the NotPetya incident and the Industroyer2 attack on Ukraine's energy grid.
- Gamaredon (Primitive Bear): Linked to Russia's FSB, this group focuses on widespread espionage, using a high volume of phishing campaigns to gain initial access to Ukrainian government and military entities.
- Killnet: A pro-Russian hacktivist collective, Killnet specializes in disruptive DDoS attacks against Ukraine and its allies, targeting government websites, airports, and financial institutions to create noise and sow panic.
The Wiper Malware Epidemic
A defining feature of the conflict has been the widespread use of wiper malware—malicious code designed not for financial gain but for the pure destruction of data. Shortly before the invasion, Microsoft identified WhisperGate, a multi-stage wiper masquerading as ransomware. This was quickly followed by a series of others:
- HermeticWiper: Deployed on February 23, 2022, this wiper targeted hundreds of machines across Ukrainian organizations, corrupting the Master Boot Record (MBR) and making systems unbootable.
- CaddyWiper: Appearing in mid-March 2022, this wiper was more targeted, carefully avoiding the destruction of domain controllers to maintain attacker access while erasing data on other systems.
- Industroyer2: A direct descendant of the malware used in the 2016 power grid attack, this was deployed in April 2022 in an attempt to disrupt a Ukrainian energy provider. The attack was successfully thwarted by Ukrainian defenders with assistance from ESET and Microsoft.
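The MBR corruption described above leaves a recognisable footprint on a disk image. As an added example (not code from the article or from any vendor report), this triage script reads the first sector of a constructed sample image and classifies the boot sector as intact, wiped or damaged; the sample MBR and the `assess_mbr` helper are assumptions for illustration.

```python
"""Boot-sector triage for wiper incidents (added example, not from the article).
Reads the first 512 bytes of a disk image and reports whether the MBR looks
intact, uniformly overwritten (wiped) or otherwise damaged."""
import struct

MBR_SIZE = 512
BOOT_SIG_OFFSET = 510   # 0x55AA boot signature lives in the last two bytes
PART_TABLE_OFFSET = 446  # four 16-byte partition entries follow the boot code

def parse_partitions(mbr: bytes):
    """Return the four MBR partition entries as dicts (status, type, LBA start, sector count)."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({"status": status, "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return entries

def assess_mbr(mbr: bytes) -> dict:
    """Classify a boot sector: 'intact', 'wiped' (uniform fill) or 'damaged'."""
    if len(mbr) < MBR_SIZE:
        return {"verdict": "damaged", "reason": "short read", "signature_ok": False}
    sig_ok = mbr[BOOT_SIG_OFFSET:BOOT_SIG_OFFSET + 2] == b"\x55\xaa"
    if len(set(mbr)) == 1:  # every byte identical: overwritten with a single fill value
        return {"verdict": "wiped", "reason": f"uniform fill 0x{mbr[0]:02x}", "signature_ok": sig_ok}
    parts = [p for p in parse_partitions(mbr) if p["type"] != 0]
    valid = [p for p in parts if p["sectors"] > 0 and p["status"] in (0x00, 0x80)]
    if sig_ok and valid:
        return {"verdict": "intact", "partitions": len(valid), "signature_ok": True}
    return {"verdict": "damaged", "partitions": len(valid), "signature_ok": sig_ok}

def build_sample_mbr() -> bytes:
    """Constructed sample: a minimal MBR with one bootable NTFS partition (not a real disk)."""
    mbr = bytearray(MBR_SIZE)
    mbr[0:3] = b"\xeb\x3c\x90"  # placeholder jump instruction standing in for boot code
    struct.pack_into("<B3xB3xII", mbr, PART_TABLE_OFFSET, 0x80, 0x07, 2048, 204800)
    mbr[BOOT_SIG_OFFSET:BOOT_SIG_OFFSET + 2] = b"\x55\xaa"
    return bytes(mbr)

if __name__ == "__main__":
    good = build_sample_mbr()
    print(assess_mbr(good))                                   # intact
    print(assess_mbr(b"\x00" * MBR_SIZE))                     # wiped
    print(assess_mbr(good[:BOOT_SIG_OFFSET] + b"\x00\x00"))   # damaged: signature gone
```

On a real case, feed it `open(path, "rb").read(512)` from a forensic image rather than the constructed sample.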
Disrupting Communications: The Viasat Attack
Perhaps the most significant single cyber event of the initial invasion was the attack against Viasat's KA-SAT satellite network. On February 24, 2022, attackers deployed a wiper malware dubbed AcidRain against the satellite modems' management system. This rendered tens of thousands of satellite terminals in Ukraine and across Europe inoperable. The attack severely degraded Ukrainian military communications during the critical opening hours of the invasion and demonstrated a clear capability to blend cyber operations with kinetic military goals.
Impact assessment: A resilient defense against a persistent threat
The impact of this cyber war has been widespread, affecting government, military, critical infrastructure, and civilians. However, the outcome has defied many initial predictions, largely due to Ukraine's hardened defenses and unprecedented international support.
Who is affected?
The targets are comprehensive. Ukrainian government ministries, energy companies, telecommunication providers, financial institutions, and media outlets are under constant assault. The goal is a combination of espionage, disruption of essential services, and psychological warfare. Civilians are targeted through disinformation campaigns spread via social media and compromised news sites, as well as phishing attacks aimed at stealing personal data. The conflict's effects have also spilled over internationally. Pro-Russian hacktivists have targeted nations supporting Ukraine with DDoS attacks, and the risk of another NotPetya-style global incident remains a serious concern for security officials worldwide.
Severity and Ukrainian Resilience
While individual attacks have been severe, Ukraine's overall cyber resilience has been remarkable. Having been a target of Russian cyber aggression since at least 2014, the country's defenders were not caught unprepared. Government agencies like the State Service of Special Communications and Information Protection of Ukraine (SSSCIP) and CERT-UA have worked tirelessly to fend off attacks. This defense has been massively bolstered by a global coalition of public and private partners. Tech giants like Microsoft, Google, and Amazon have provided threat intelligence, cloud infrastructure, and defensive tools, while Western governments have shared intelligence and expertise. The formation of the volunteer "IT Army of Ukraine" has also added a unique crowdsourced element to the conflict, launching retaliatory attacks against Russian targets.
How to protect yourself
While the primary theater of this cyber war is in Ukraine, the tactics and tools used by state-sponsored actors have global reach. Organizations and individuals should adopt a heightened security posture.
For Organizations
- Assume You Are a Target: Any organization, particularly in critical infrastructure, government, or logistics, could be targeted for disruption or as part of a supply chain attack.
- Strengthen Access Controls: Enforce multi-factor authentication (MFA) across all services. This remains one of the most effective defenses against credential theft.
- Patch Aggressively: Russian APTs frequently exploit known vulnerabilities. A rigorous patch management program is essential to close these entry points.
- Plan for the Worst: Develop and test an incident response plan. Ensure you have offline, immutable backups to recover from a destructive wiper or ransomware attack.
- Share Intelligence: Participate in information sharing and analysis centers (ISACs) within your industry to stay informed about relevant threats.
For Individuals
- Be Skeptical of Communications: State-sponsored phishing campaigns are sophisticated. Scrutinize any email or message that asks for credentials or urges immediate action, even if it appears to be from a trusted source.
- Maintain Digital Hygiene: Use strong, unique passwords for every account, managed with a password manager. Keep your software and operating systems updated to protect against the latest threats.
- Secure Your Connection: Your data is valuable to threat actors. Using tools like a VPN service can add a layer of protection by encrypting your internet traffic, particularly on untrusted public Wi-Fi networks.
- Verify Information: Be a critical consumer of news and information. Disinformation is a key tool in this conflict. Seek out multiple, reputable sources before sharing or believing claims made on social media.